Abstract

We provide algebraic semantics together with a sound and complete sequent calculus for informa- 
tion update due to epistemic actions. This semantics is flexible enough to accommodate incomplete 
as well as wrong information e.g. due to secrecy and deceit, as well as nested knowledge. We give 
a purely algebraic treatment of the muddy children puzzle, which moreover extends to situations 
where the children are allowed to lie and cheat. Epistemic actions, that is, information exchanges 
between agents $A, B, \ldots \in \mathcal{A}$, are modeled as elements of a quantale. The quantale $(Q, \bigvee, \bullet)$ acts
on an underlying Q-right module $(M, \bigvee)$ of epistemic propositions and facts. The epistemic content
is encoded by appearance maps, one pair $f_A^M : M \to M$ and $f_A^Q : Q \to Q$ of (lax) morphisms for
each agent $A \in \mathcal{A}$, which preserve the module and quantale structure respectively. By adjunction,
they give rise to epistemic modalities [12], capturing the agents' knowledge on propositions and
actions. The module action is epistemic update and gives rise to dynamic modalities [21] — cf. weakest
precondition. This model subsumes the crucial fragment of Baltag, Moss and Solecki's [6] dynamic
epistemic logic, abstracting it in a constructive fashion while introducing resource-sensitive structure 
on the epistemic actions. 

Keywords: Multi-agent system, epistemic logic, linear logic, dynamic logic, sequent calculus, 
quantale, Galois adjoint, muddy children puzzle. 

1 Introduction 

Consider the following well-known puzzle. After n children played in the mud k of them have mud 
on their forehead. They can see each other's foreheads but not their own ones. Their father initially 
announces "At least one of you has mud on his forehead!". Then he asks: "Is it you who has mud on his 
forehead?". Typically the children will all together answer: "I don't know!". Again father asks: "Is it 
you who has mud on his forehead?", and again typically the children will all together answer: "I don't 
know!". It turns out that after $k - 1$ rounds of father's question and the children's "I don't know!"-
answers the ones which have mud on their forehead will now all know this. Indeed, in the case of $k = 1$
the dirty child knows that it must be him who is dirty since all the other children are clean. In the case
$k = 2$ the two dirty children see only one other dirty child, so after a round of "I don't know!"-answers,
they realise that they must be dirty since in the case of only one dirty child that child should have known 
this already in the first round. This argument extends to arbitrary k > 2 by induction. 

This Muddy Children Puzzle exposes the need for a logical account of actions and agents as dynamic
and epistemic resources in situations involving information exchange. Indeed, repetition of the
same announcement provides new information to the children. In particular, these dynamic resources
constitute the use-only-once resources of Girard's Linear Logic [17]. In linear logic, as compared to
ordinary logic, premisses cannot be copied nor deleted.$^1$ We will also deal with epistemic resources:



1 Strictly speaking we are only considering the multiplicative fragment of linear logic of which the non-linear counterpart 
is intuitionistic logic.
presence of agents within a context, or availability of these agents as computing resources for other
agents, affects the validity of deductions and execution of some actions by other agents. E.g. for the 
children to make the correct conclusion they need to take into account the capabilities of other children 
to make deductions. In other words, some deductions are only valid in the presence of certain other 
agents. Our intuitionistic sequents

$m_1, \ldots, q_1, \ldots, A_1, \ldots, m_k, \ldots, q_l, \ldots, A_n \vdash \delta$

consist of different types of formulas and for example can contain propositions $m_1, \ldots, m_k$, actions
$q_1, \ldots, q_l$ and agents $A_1, \ldots, A_n$, which resolve into a single proposition or action $\delta$. Also, a deduction
might not be valid in the "real world" while it is valid in the world as it appears to an agent. 

To cast all this in mathematical terms we rely on order-theory. A proposition $a$ is implied by a
proposition $b$ iff $b \leq a$. An action $p$ is less deterministic than an action $q$, i.e. $p = q$ 'or' $p = q'$, iff
$q \leq p$. Actions can be performed one after the other and in order to be able to reason with them we
require distributivity of 'composition' over 'or'. The resulting structure is a quantale. Quantales have
been used as semantics for non-commutative Intuitionistic Linear Logic [39], which itself traces back
to Lambek calculus [27].$^2$ The quantale acts on a sup-lattice of propositions. Both the quantale and the
sup-lattice come equipped with modal operators which capture the epistemics. They will allow us to
encode incomplete knowledge, e.g. due to secrecy, wrong knowledge, e.g. due to deceit, and nested
knowledge, i.e. one agent's knowledge on some other agent's knowledge, possibly yet again about some other
agent's knowledge, and so on. Technically these modal operators are so-called (lax-)endomorphisms of
the above structure, one endomorphism-pair for each agent. Their Galois adjoints will stand for
knowledge. The pair of a sup-lattice and a quantale without the modal operators have previously been used
in concurrency [Q~l|34l and quantum logic iPTOl . Boolean algebras with adjoint operators, called Galois
algebras, have previously been used in temporal logic [19].

Our algebraic semantics and sound and complete sequent calculus further conceptualize and ab- 
stract the usual Kripke semantics and Hilbert-style axiomatic logic for such situations e.g. the dynamic 
epistemic logic of Baltag, Moss and Solecki [5, 6] (BMS), which is a PDL-style logic to reason about 
epistemic actions and updates in a multi-agent system. Applications are secure communication, where 
issues of privacy, secrecy and authentication of communication protocols are central, software reliability 
for concurrent programs, AI, where agents are to be provided with reliable tools to reason about their 
environment and each other's knowledge, e-commerce, where agents need to have knowledge acqui- 
sition strategies over complex networks. The standard approach to information flow in a multi-agent 
system has been presented in [12] but it does not present a formal description of epistemic actions and
their updates. The first attempts to formalize such actions and updates were done by Gerbrandy and
Groeneveld [14, 13, 16] and Plaza OTTl, but they only studied a restricted class of these actions. A general
notion of epistemic actions and updates was introduced in [5, 6]. However, in this approach there
is no account of resources in the underlying logic, and more importantly, the operations of sequential 
composition of actions and updating are concrete constructions on Kripke structures, rather than being 
taken as the fundamental operations of an abstract algebraic signature. In view of the purely Boolean 
nature of these Kripke models it is also worth stressing that in our proof of the Muddy children puzzle 
we essentially only reason by adjunction, both in terms of dynamic and epistemic residuals, but not 
assuming the lattice of propositions to have complements nor for it to be distributive.

We proceed as follows. First we introduce the objects of our algebra, epistemic systems, and justify 
their axiomatic structure. We use our setting to analyze the Muddy Children Puzzle and some of its 

2 Quantales are to complete Heyting algebras what monoidal closed categories are to Cartesian closed categories, respec- 
tively providing semantics for Intuitionistic Logic, and for non-commutative Intuitionistic Linear Logic, including Lambek 
calculus.
more interesting and newer variants, involving lying children or secret communication, as well as (a
simplified version of) the Man-In-The-Middle (MITM) cryptographic attack. We give examples of our 
structure and briefly explain how models of BMS [6] are instances of it, referring the reader for details 
of construction to [36]. Next we introduce the sequent calculus and give a summary of the completeness
proof, referring the reader for the full proof to [36]. We illustrate the use of the sequent calculus by
proving a weak permutation property for our epistemic and dynamic modalities and by encoding and 
deriving a property of the MITM attack. We conclude with suggestions for further elaboration. 

2 The algebra of epistemic actions and epistemic propositions 

A sup-lattice L is a complete lattice and a sup-homomorphism is a map between sup-lattices which
preserves arbitrary joins. We denote the bottom and top of L by $\bot$ and $\top$ respectively, and its atoms by
Atm(L). A sup-lattice is atomistic iff each element can be written as the supremum of the atoms below
it. Every sup-homomorphism $f^* : L \to M$ has a right Galois adjoint $f_* : M \to L$, i.e.

$f^*(a) \leq b \Leftrightarrow a \leq f_*(b)$,

which preserves arbitrary infima. We denote an adjoint pair by $f^* \dashv f_*$. In computational terms, the
right Galois adjoint $f_*$ assigns weakest preconditions to its arguments, given the program $f^*$.

A quantale is a sup-lattice Q with a monoid structure $(Q, \bullet, 1)$ which distributes over arbitrary joins
at both sides. Since for all $a \in Q$ the maps $a \bullet - : Q \to Q$ and $- \bullet a : Q \to Q$ preserve arbitrary joins
they have right Galois adjoints

$a \bullet - \dashv a \backslash -$ and $- \bullet a \dashv - / a$,

explicitly given by

$a \backslash b := \bigvee \{c \in Q \mid a \bullet c \leq b\}$ and $b / a := \bigvee \{c \in Q \mid c \bullet a \leq b\}$.

A map $f : Q \to Q$ is a quantale homomorphism if it is both a sup-homomorphism and a monoid-homomorphism.
It is a lax quantale homomorphism if it is a sup-homomorphism and if

$1 \leq f(1)$ and $f(a \bullet b) \leq f(a) \bullet f(b)$.

Examples of quantales are: the set sup(L) of all sup-endomorphisms of a complete lattice L ordered
pointwise; the set of all relations from a set X to itself ordered by pointwise inclusion — this quantale
is isomorphic to $sup(\mathcal{P}(X))$; the powerset of any monoid with composition extended by continuity.

Since quantales are monoidal closed categories they provide a semantics for non-commutative
Intuitionistic Linear Logic [39] [17] [Q : linearity of monoidal closed categories follows by the absence (in
general) of natural morphisms $A \to A \otimes A$ and left and right projections $p_1 : A \otimes B \to A$ and
$p_2 : B \otimes A \to A$, and hence quantales (in general) do not satisfy $a \leq a \bullet a$ nor $a \bullet b \leq a$ nor $a \bullet b \leq b$
(where now $\bullet$ is the monoidal tensor $\otimes$). Note that quantales have more operators (than multiplicatives),
with regard to which they are not resource-sensitive, for example we have similar inequalities for the
meet of the quantale, that is we have that $a \leq a \wedge a$, and also $a \wedge b \leq a$ and $a \wedge b \leq b$.

A Q-right module for a quantale Q is a sup-lattice M with a module action

$- \cdot - : M \times Q \to M$

which preserves arbitrary joins in both arguments,

$m \cdot 1 = m$ and $m \cdot (q_1 \bullet q_2) = (m \cdot q_1) \cdot q_2$

for all $m \in M$ and all $q_1, q_2 \in Q$. We have two adjoint pairs

$- \cdot q \dashv [q]-$ and $m \cdot - \dashv \{m\}-$ where

$[q]m := \bigvee \{m' \in M \mid m' \cdot q \leq m\}$ and $\{m\}m'$ :

For example, a quantale Q is a Q-right module over itself with composition as the action and a
complete lattice L is a sup(L)-right module with function application as the action. For details on
quantales, Q-modules and also Q-enrichment we refer the reader to [26, 33, 35, 37]. For applications of
these in computing, linguistics and physics we refer the reader to [1, 10, 22, 27, 30, 34].

Definition 2.1 [1] A system is a pair (M, Q) with Q a quantale and M a Q-right module. 

Definition 2.2 A system-endomorphism $(M, Q) \to (M, Q)$ is a pair $(f^M : M \to M, f^Q : Q \to Q)$
where $f^M$ and $f^Q$ are both sup-homomorphisms, and for all $m \in M$ and $q, q' \in Q$ we have



Definition 2.3 An epistemic system is a tuple $(M, Q, \{f_A\}_{A \in \mathcal{A}})$ where (M, Q) is a system and $\{f_A\}_{A \in \mathcal{A}}$
are system-endomorphisms. The elements of $\mathcal{A}$ are called agents, the elements of Q epistemic actions
and the elements of M epistemic propositions. The system-endomorphisms are called appearance maps.

Epistemic Propositions. We interpret the elements of the module as epistemic propositions and their
order relation $m \leq m'$ for $m, m' \in M$ as logical entailment $m \vdash m'$. The epistemic proposition $f_A^M(m)$
describes how the world appears to agent $A$: it comprises all propositions that agent $A$ believes to hold
whenever $m$ holds in the 'real world'. Two extreme examples are $f_A^M(m) = \top$, which corresponds
to absence of any knowledge whatsoever, and $f_A^M(m) = m$, which stands for complete knowledge. If
for $m, m' \in M$ we have $f_A^M(m) < f_A^M(m')$ then agent $A$ possesses strictly more (possibly incorrect)
knowledge on $m$ than on $m'$. It also follows that $f_A^M$ indeed needs to be covariantly monotone — the
additional preservation of suprema will assure existence of epistemic modalities (see below). If for
$m \in M$ we have $f_A^M(m) < f_B^M(m)$ agent $A$ possesses strictly more (possibly incorrect) knowledge on
$m$ than agent $B$. But indeed, this knowledge is not necessarily correct! If for $m, m' \in M$ with $m \not\leq m'$
we have $f_A^M(m) \leq m'$ then agent $A$ believes incorrect information to be true, e.g. due to deceit of
another agent, a malfunctioning communication channel, corrupted data etc. If the module is atomistic,
then the atoms can be thought of as states — cf. Kripke structures representing epistemic scenarios (see
also the following section and El and [36]).

3 Our notion of system endomorphism also differs from the one in the literature, (e.g. [26] and categories of modules for
rings) in that we consider non-trivial homomorphisms on the quantale, a so-called change of base. Explicitly, we do not have
$f(m \cdot q) = f(m) \cdot q$ for a system endomorphism $f$.



$f^Q(q \bullet q') \leq f^Q(q) \bullet f^Q(q')$



(1) 




(2) 



(3)

Knowledge and/or belief. For each agent $A \in \mathcal{A}$ let $\Box_A^M$ be defined by $f_A^M \dashv \Box_A^M$. By adjunction
we have $m \leq \Box_A^M m'$ if and only if $f_A^M(m) \leq m'$, that is, "when proposition $m$ holds, agent $A$
knows/believes $m'$". Hence $\Box_A^M m$ stands for agent $A$'s knowledge/belief on $m$. This modality indeed
covers both knowledge and belief: in contexts where no wrong belief is allowed, we read it as knowledge
or justified true belief, and otherwise, justified belief. Since $\Box_A^M$ is a right Galois adjoint we have
$\Box_A^M(\bigwedge_i m_i) = \bigwedge_i \Box_A^M m_i$. Hence it preserves the empty and binary meets, and is monotone:

$\Box_A^M \top = \top$, $\Box_A^M(m \wedge m') = \Box_A^M m \wedge \Box_A^M m'$, $m \leq m' \Rightarrow \Box_A^M m \leq \Box_A^M m'$.

When M is a frame (= complete Heyting algebra [24]) we can internalize the partial order using the
defining property of a Heyting algebra. In the special case that $Q = \{1\}$ and $\mathcal{A} = \{*\}$ we obtain
the intuitionistic modal logic $\mathrm{IntK}_\Box$ of [38]. If M is moreover a complete boolean algebra (e.g. the
powerset of its atoms) then Kripke's axiom K follows i.e.

$\Box_A^M(m \to m') \to (\Box_A^M m \to \Box_A^M m')$.

Diamonds and corresponding rules arise in that case by duality. If M is atomistic and the set of atoms
are denoted by S then to each $f_A^M$ one can assign an accessibility relation $\to_A \subseteq S \times S$ by setting

It is this relation which is primitive in ordinary epistemic logics rather than appearance maps. But in
our setting, in general, this accessibility relation turns out not to be reflexive, nor (anti-)symmetric, nor
transitive e.g. positive introspection $\Box_A^M m \leq \Box_A^M \Box_A^M m$ does not hold in general.

Epistemic actions. We interpret the elements of the quantale as epistemic actions where the order
is information ordering: if for $q, q' \in Q$ we have $q \leq q'$ then $q'$ is less deterministic than $q$. The
suprema $\bigvee_i q_i$ in the quantale, similar as in HKm, stand for non-deterministic choice. The action
$f_A^Q(q)$ captures how $q$ appears to agent $A$. The appearance maps allow to accommodate actions such
as information hiding or encryption, by $q \leq f_A^Q(q)$, and misinformation such as lying, cheating and
deceit by $q \not\leq f_A^Q(q)$. Analogously to the case of propositions, setting $f_A^Q \dashv \Box_A^Q$ stands for agent $A$'s
knowledge/belief on $q$ i.e. "when action $q$ is happening, agent $A$ believes action $q'$ to be happening".
These epistemic modalities satisfy the same properties as $\Box_A^M$. If the quantale is atomistic then its
atoms can be interpreted as deterministic actions.

Sequential composition. The quantale multiplication stands for sequential composition of epistemic
actions. The multiplicative unit 1 is the void epistemic action, that is, nothing happens, sometimes
referred to as skip in literature (cf. EH). We do not require $f_A^Q(1) = 1$ but only $1 \leq f_A^Q(1)$ since this
enables us to accommodate suspicions, cf. eq.©. By this we mean that even when nothing is happening
one could still suspect that something hidden might be happening, say $q$, resulting in $f_A^Q(1) = 1 \vee q$.
Suspicions are for example important for applications to protocol security, see [36] ch. 5 for some
examples. On the other hand requiring $1 \leq f_A^Q(1)$ imposes rationality of the agent (vs. insanity): if nothing is
happening then the agent considers nothing to be happening at least as an option. This argument carries
over to appearance of sequential composition, again subject to a rationality requirement, and suspicions
cause laxity, cf. eq.©:

$f_A^Q(q \bullet 1) = f_A^Q(q) = f_A^Q(q) \bullet 1 \leq f_A^Q(q) \bullet f_A^Q(1)$.

Other situations where we have a strict inequality arise when $q \bullet q' = \bot$ and thus $f_A^Q(q \bullet q') = \bot$,
but $f_A^Q(q) \bullet f_A^Q(q') \neq \bot$ again due to the fact that the agent might suspect more options than what is
actually happening — for a detailed discussion and a concrete example see [36].

Epistemic updating. The action of the quantale on the module encodes the crucial notion of epistemic
updating. After performing an epistemic action $q \in Q$ on an epistemic proposition $m \in M$ we obtain a
new epistemic proposition $m \cdot q \in M$. Each agent updates his knowledge according to how he perceives
the epistemic action, so $f_A^M(m \cdot q)$ relates to $f_A^M(m) \cdot f_A^Q(q)$. Again suspicions impose laxity, cf. eq.©:

$f_A^M(m \cdot 1) = f_A^M(m) = f_A^M(m) \cdot 1 \leq f_A^M(m) \cdot f_A^Q(1)$,

and we can have situations where an action $q$ cannot apply to a proposition $m$, that is $m \cdot q = \bot$, and
thus $f_A^M(m \cdot q) = \bot$, but the appearance of the action can apply to the appearance of the proposition,
that is $f_A^M(m) \cdot f_A^Q(q) \neq \bot$ — for a detailed discussion see [36]. Situations where some of the suspected
alternatives yield contradiction after update yield a process of learning (or acquiring more information):
the agent will eliminate his contradiction-leading views and not anymore consider them as true options.

Dynamic modalities. Since both update $- \cdot -$ and quantale multiplication $- \bullet -$ preserve suprema in
both arguments, a range of residuals arise, namely

$- \cdot q \dashv [q]-$, $m \cdot - \dashv \{m\}-$, $q \bullet - \dashv q \backslash -$, $- \bullet q \dashv - / q$

for each $m \in M$ and each $q \in Q$. The residual $[q]-$ is the dynamic modality of dynamic logic [21], that
is, weakest precondition. We read $[q]m$ as "after program $q$ proposition $m$ holds". On the other hand,
$m \cdot q$ is the strongest postcondition. The other ones are variants on these e.g. see [22]. In particular the
ones with respect to sequential composition correspond to the residuals of Lambek calculus [27] and
the linear implications of non-commutative Linear Logic.

Kernel. If $m \cdot q = \bot$ then $q$ cannot be applied to $m$. We define a kernel for an action $q \in Q$ as

$Ker(q) := \{m \in M \mid m \cdot q = \bot\}$,

i.e. as the co-precondition of an action $q$ (= the dual to the so-called precondition of $q$). Since

$Ker(q) = \downarrow(\bigvee Ker(q))$,

"not being in the precondition of $q$" exists as a proposition in M for all $q \in Q$. Also note that the kernel
of each action is the weakest proposition to which the action cannot apply, that is $Ker(q) = [q]\bot$.

Stable facts. Each epistemic system has a non-epistemic part, referred to as facts, being the propositions
which cannot be altered by any epistemic action. Define the stabilizer of Q as

$Stab(Q) := \{\varphi \in M \mid \forall q \in Q,\ \varphi \cdot q \leq \varphi\}$.

It consists of those epistemic propositions which are stable under the epistemic actions, or equivalently,
$\varphi \leq [q]\varphi$, which expresses preservation of validity of $\varphi$: if it is true before running $q$, it will remain true
afterwards. To summarize, epistemic propositions both encode actual facts and the knowledge of each
agent, that is, they have both factual and epistemic content.

3 Examples of epistemic actions and epistemic systems



We present some examples of epistemic actions that can exist in an epistemic system $(M, Q, \{f_A\}_{A \in \mathcal{A}})$.

• Public refutation of the proposition $m \in M$ is an epistemic action $q \in Q$ with $f_A^Q(q) = q$ for all
$A \in \mathcal{A}$ and for which $Ker(q) = \downarrow m$.

• Private refutation to a subgroup is an action that privately refutes $m$ to the subgroup $\beta$ of agents.
In this case $Ker(q)$ is the same as above and $f_A^Q(q) = q$ for $A \in \beta$ and $f_A^Q(q) = 1$ otherwise.

• Failure test of a proposition $m$ is an action $q$ that tests when $m$ fails. It is a particular case of
private refutation where $m$ is refuted to an empty set of agents. Hence we have $Ker(q) = \downarrow m$
and $f_A^Q(q) = 1$ for all $A \in \mathcal{A}$.

• Public announcement is also definable in our setting. However, while "being not in the precondition
of $q$" is a proposition in M for all $q \in Q$, "being in the precondition of $q$" in general isn't
one. To see this consider the lattice $\{\bot \leq a, b, c \leq \top\}$ with $q$ such that $Ker(q) = \{\bot, a\}$, then
both $b$ and $c$ are in the precondition but $b \vee c = \top$ isn't. The reason for this is that this lattice
is non-Boolean with $a$ not having a complement. Hence public announcement of the proposition
$m \in M$ is an epistemic action $q \in Q$ for which $f_A^Q(q) = q$ and for which $\bigvee Ker(q)$ has a Boolean
complement $(\bigvee Ker(q))^c$, satisfying $(\bigvee Ker(q))^c = m$.

• Private announcement to a subgroup can be defined analogously.

The Muddy Children Puzzle. This puzzle, explained in the introduction, is a paradigmatic example
in the standard epistemic logic literature — e.g. ifTSTl . In the usual encodings the communication between
the father and children (i.e. father's announcement and questions and the children's answers) is not part
of the actual encoding. Our approach (similar to the one in [3]) does allow to encode communications
and their effects on the agents' knowledge. Our algebraic setting provides us, furthermore, with a
semi-automatic elegant equational way of doing so.

We encode the puzzle in an epistemic system. The set of agents $\mathcal{A}$ includes the children $C_1, \ldots, C_n$.
We assume that $C_1, \ldots, C_k$, for $1 \leq k \leq n$ are dirty. The module M includes all possible initial
propositions $s_\beta$ with $\beta \subseteq \mathcal{A}$ being those children that have mud on their forehead. For example $s_{C_1,\ldots,C_k}$
expresses the "real state" in which $C_1, \ldots, C_k$ are dirty and $C_{k+1}, \ldots, C_n$ are clean. Since the children
cannot see their own foreheads (which might either be dirty or not) we have

$f_{C_i}^M(s_\beta) = s_{\beta \setminus \{C_i\}} \vee s_{\beta \cup \{C_i\}}$.

Let $D_\emptyset$ be the fact that no child has a dirty forehead and let $D_i$ be the fact that the $i$'th child has a dirty
forehead, hence we have:

$\{D_\emptyset\} \cup \{D_i \in M \mid C_i \in \mathcal{A}\} \subseteq Stab(Q)$.

For the propositions and facts we have $s_\beta \leq D_i$ for all $C_i \in \beta$ and $s_\emptyset \leq D_\emptyset$, which sets that each
proposition satisfies the corresponding fact. Let $q \in Q$ be a round of all children's "no" answers
i.e. public refutation of $\bigvee_{i=1}^n \Box_{C_i} D_i$, hence $Ker(q) = \downarrow \bigvee_{i=1}^n \Box_{C_i} D_i$ and $f_{C_i}^Q(q) = q$ for $1 \leq i \leq n$.
Let $q_0 \in Q$ be father's announcement that at least one child has mud on his forehead i.e. $Ker(q_0) = \downarrow D_\emptyset$
and $f_{C_i}^Q(q_0) = q_0$ for $1 \leq i \leq n$.

Proposition 3.1 After $k - 1$ rounds of refutations, child $j$ for $1 \leq j \leq k$ knows that he is dirty i.e.

$s_{C_1,\ldots,C_k} \leq [q_0 (\bullet q)^{(k-1)}] \Box_{C_j} D_j$ (4)

where $q_0 (\bullet q)^{(k-1)}$ denotes $q_0 \bullet q \bullet \cdots \bullet q$ with $k - 1$ occurrences of $q$.

Proof. We proceed by induction on the number $k$ of dirty children. If we move the dynamic modalities
in eq.(4) to the left by adjunction we obtain

$s_{C_1,\ldots,C_k} \cdot q_0 (\bullet q)^{(k-1)} = s_{C_1,\ldots,C_k} \cdot (q_0 (\bullet q)^{(k-1)}) \leq \Box_{C_j} D_j$ (5)

using the module structure. After moving the epistemic modality to the left and by the update inequality
eq.©, it suffices to prove the following inequality

fcMc- ,C k} ) ■ QO (• < (* {Cl ,.. ,C k} V S {Cl> ... >Ch}X{Cj} ) ■ q (• q)V-V 

which is equivalent to the following by our assumption about $f_{C_j}^M$

$(s_{C_1,\ldots,C_k} \vee s_{\{C_1,\ldots,C_k\} \setminus \{C_j\}}) \cdot q_0 (\bullet q)^{(k-1)} \leq D_j$.

By distributivity of $\vee$ over $\cdot$ and the definition of suprema it suffices to prove

$s_{C_1,\ldots,C_k} \cdot q_0 (\bullet q)^{(k-1)} \leq D_j$ and $s_{\{C_1,\ldots,C_k\} \setminus \{C_j\}} \cdot q_0 (\bullet q)^{(k-1)} \leq D_j$. (6)

We respectively refer to these inequalities as eq.(6i) and eq.(6ii). First we show that eq.(6i) holds for all
$k$. Updating both sides of $s_{C_1,\ldots,C_k} \leq D_j$ by $q_0 (\bullet q)^{(k-1)}$ we get

$s_{C_1,\ldots,C_k} \cdot q_0 (\bullet q)^{(k-1)} \leq D_j \cdot q_0 (\bullet q)^{(k-1)} \leq D_j$

where the last inequality follows by $D_j \in Stab(Q)$. Hence eq.(6i). Now we prove the base case $k = 1$
of our induction. Eq.(6ii) is $s_\emptyset \cdot q_0 \leq D_1$ in this case, which is true since $s_\emptyset \leq D_\emptyset \in Ker(q_0)$ so
$s_\emptyset \cdot q_0 = \bot$. To prove eq.(6ii) we use the inductive hypothesis in terms of eq.©. By symmetry of
$\{C_1, \ldots, C_k\}$ we have

$s_{\{C_1,\ldots,C_k\} \setminus \{C_j\}} \cdot q_0 (\bullet q)^{(k-2)} \leq \Box_{C_i} D_i \leq \bigvee_{i=1}^n \Box_{C_i} D_i$ (7)

so

$s_{\{C_1,\ldots,C_k\} \setminus \{C_j\}} \cdot q_0 (\bullet q)^{(k-2)} \in Ker(q)$ (8)

and hence

$\bot = (s_{\{C_1,\ldots,C_k\} \setminus \{C_j\}} \cdot q_0 (\bullet q)^{(k-2)}) \cdot q = s_{\{C_1,\ldots,C_k\} \setminus \{C_j\}} \cdot q_0 (\bullet q)^{(k-1)} \leq D_j$

i.e. eq.(6ii), which completes the proof. □

Analysing the dynamics of this proof we notice that in each inductive step we show that the epistemic
state $s_{C_1,\ldots,C_k} \cdot q_0 (\bullet q)^{(k-1)}$ is included in the kernel of the refutation $q$ — cf. eq.(8). This inductive
update reflects the systematic update of the children's knowledge during the process. Such a dynamics
is not visible in the proofs performed in static epistemic logic [12] where there is no notion of update.

This machinery not only enables us to deal with classical epistemic scenarios in a dynamic way, but
it also provides us with tools to treat (for the first time) other more complicated and realistic versions
of these epistemic scenarios. As examples, we encode and analyze more complex versions of the above
puzzle, in which some of the children may lie, or otherwise cheat by engaging in secret communication,$^4$
as well as an example of a cryptographic attack.



4 The cheating example was done for Kripke models of BMS by one of the authors [3], while the lying example is new.
Lying Children. Assume that the same $n$ children are playing in the mud and this time only one of
them, say $C_1$, has a dirty forehead. Their father does the announcement exactly as in the classical Muddy
Children Puzzle, and then asks the same question. Now before the first round of answers, the dirty child
who is a perfect reasoner, follows the proof presented above and by looking around and seeing no other
dirty child, concludes that he is dirty $\Box_{C_1} D_1$. But instead of announcing the truth in the first round, he
lies by saying that he does not know that he is dirty. This version is encoded using the same epistemic
system as muddy children above with the difference that this time we set $k = 1$. Let $\bar{D}_1$ denote the
proposition that $C_1$ is not dirty (it belongs to the set of facts) and set $s_\beta \leq \bar{D}_1$ where $C_1 \notin \beta$. Note that
the situations in which $C_1$ is not dirty satisfy this fact, for example $s_{\{C_i\}} \leq \bar{D}_1$. Denote by $\bar{q}$ the first
round of answers that includes child one's lying and the others' "No!" replies. The appearance of this
action to $C_1$ is the identity since he knows that he is lying $f_{C_1}^Q(\bar{q}) = \bar{q}$, whereas other children who do
not know that $C_1$ is lying think that the action $q$ in classical muddy children (truthful public refutation) is
happening, that is for $1 < i \leq n$ we have $f_{C_i}^Q(\bar{q}) = q$. The kernel of $\bar{q}$ is the downset of the proposition
in which $C_1$ knows he is not dirty and others know that they are dirty i.e.

$Ker(\bar{q}) = \downarrow(\Box_{C_1} \bar{D}_1 \vee \bigvee_{i=2}^n \Box_{C_i} D_i)$.

Proposition 3.2 After the first child's lying and the others' negative answers in the first round, every
clean child $j$ (with 1 < j < k) thinks (wrongly) that he is dirty i.e.

$s_{\{C_1\}} \leq [q_0 \bullet \bar{q}] \Box_{C_j} D_j$.

Proof. We proceed in the same way as above. By moving the dynamic and epistemic modalities to the
left and applying the update inequality eq.© we obtain

$f_{C_j}^M(s_{\{C_1\}}) \cdot f_{C_j}^Q(q_0) \bullet f_{C_j}^Q(\bar{q}) \leq D_j$.

By replacing the $f_{C_j}$'s with their values we get

$(s_{\{C_1\}} \vee s_{\{C_1, C_j\}}) \cdot q_0 \bullet q \leq D_j$

and by distributivity we have to show the following two cases (the same as in the classical version above)

$s_{\{C_1\}} \cdot q_0 \bullet q \leq D_j$ and $s_{\{C_1, C_j\}} \cdot q_0 \bullet q \leq D_j$.

The second case is trivial for the same reasons as classical muddy children. For the first case we use
eq.(8) proved by induction above and get $s_{\{C_1\}} \cdot q_0 \in Ker(q)$ and hence $\bot = s_{\{C_1\}} \cdot q_0 \bullet q \leq D_j$. □
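
The following added example (not code from the paper) checks Propositions 3.1 and 3.2 by brute force in the usual possible-worlds reading of the puzzle rather than in the quantale/module algebra: a proposition is a set of worlds, `appearance` is the map $f_{C_i}$ defined above, and an update deletes the kernel worlds. The function names and the numbering of children from 0 are assumptions of this example.

```python
from itertools import combinations


def worlds(n):
    """All candidate states s_beta, beta = the set of dirty children (numbered 0..n-1)."""
    return {frozenset(c) for r in range(n + 1) for c in combinations(range(n), r)}


def appearance(i, w):
    """f_{C_i}(s_beta) = s_{beta minus C_i} v s_{beta plus C_i}: child i cannot see its own forehead."""
    return {w - {i}, w | {i}}


def believes_dirty(i, w, live):
    """Box_{C_i} D_i at w: child i is dirty in every still-possible world that looks like w to it."""
    return all(i in v for v in appearance(i, w) & live)


def father_announces(live):
    """q0: public announcement of 'at least one of you is dirty'; the all-clean world is its kernel."""
    return {w for w in live if w}


def all_answer_dont_know(live, n):
    """q: public refutation of 'some child knows it is dirty'; worlds where one does form the kernel."""
    return {w for w in live if not any(believes_dirty(i, w, live) for i in range(n))}


def rounds_until_dirty_know(n, real):
    """Count the 'I don't know' rounds needed before every dirty child in `real` knows it is dirty."""
    live, rounds = father_announces(worlds(n)), 0
    while not all(believes_dirty(i, real, live) for i in real):
        live = all_answer_dont_know(live, n)
        rounds += 1
    return rounds


def fooled_by_lie(n):
    """Lying variant with k = 1: child 0 is dirty, knows it, but answers 'I don't know'.

    To the other children the round looks like the truthful refutation q, so they update
    with q. Returns the clean children who end up believing that they are dirty.
    """
    real = frozenset({0})
    as_seen_by_others = all_answer_dont_know(father_announces(worlds(n)), n)
    return {j for j in range(1, n) if believes_dirty(j, real, as_seen_by_others)}
```

For every non-empty set of dirty children `rounds_until_dirty_know` returns one less than its size, and `fooled_by_lie(n)` returns every clean child, which is the wrong belief of Proposition 3.2.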

Secret Communication. As another example, consider the original $n$ and $k$ version but in which, just
before the $k - 1$'th round, all but one of the dirty children (say, all except $C_1$), "cheat" by secretly telling
each other that they are in fact dirty. We denote this action as $\pi$. In the $k - 1$'th round, all these dirty
cheating children will announce that they know they are dirty (or equivalently refute that they do not
know that they are dirty) whereas $C_1$ answers as usual. We denote this mixed round of answers by
$q'$. For the encoding of these actions in epistemic systems, that is their appearance and kernels refer
to Q. Now following the same line as in the proofs above, we can show that in the $k$'th round the only
non-cheating child $C_1$ will wrongly conclude that he is clean i.e.

$s_{C_1,\ldots,C_k} \leq [q_0 (\bullet q)^{k-2} \bullet \pi \bullet q'] \Box_{C_1} \bar{D}_1$.

The proof is done similar to the above cases and is presented in detail in Q.
A cryptographic attack. This cryptographic attack is a somewhat simplified version of the man in
the middle (MITM) attack which is a primary defect of public key-based systems. Two agents A and 
B share a secret key so that they can send each other encrypted messages over some communication 
channel. The channel is not secure: some outsider C may intercept the messages or prevent them 
from being delivered (although he cannot read them because he does not have the key). Suppose the 
encryption method is publicly known but the key is secret. It is also known that A is the only one 
who knows an important secret for example if some fact P holds or not. Suppose now that A sends 
an encrypted message to B communicating the secret. B gets the message and he is convinced that 
it must be authentic. Now both A and B are convinced that they share the secret and that C doesn't. 
However suppose that C notices two features of the specific encryption method: first that the shape 
of the encrypted message can show whether it contains a secret or it is just junk, second that without 
knowing the key or the content of the message he can modify the encrypted message to its opposite i.e. 
if it originally said P holds, it will now say that P does not hold. The outsider C will then secretly 
intercept the message, change it appropriately and send it to B without knowing the secret. Now A and 
B mistakenly believe that they share the secret, while in fact B got the wrong secret instead and C has 
succeeded to manipulate their beliefs. 
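
The modification step in this scenario depends on the encryption being malleable. As an added example (not from the paper), the code below assumes a one-byte XOR pad as the encryption method, which the text does not specify, and shows B decrypting the opposite secret after C's change, then rejecting the same altered message once a MAC over the ciphertext is checked. All function names and the byte encoding of P are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

P_HOLDS, P_FAILS = b"\x01", b"\x00"  # constructed one-byte encoding of "P" / "not P"


def xor_crypt(key, data):
    """Assumed malleable cipher: XOR with a shared one-time pad (encrypts and decrypts)."""
    return bytes(d ^ k for d, k in zip(data, key))


def tamper(ciphertext):
    """C's modification: flip the message bit without the key or the plaintext."""
    return bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]


def seal(enc_key, mac_key, msg):
    """Encrypt-then-MAC: append an HMAC-SHA256 tag computed over the ciphertext."""
    ct = xor_crypt(enc_key, msg)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_sealed(enc_key, mac_key, blob):
    """Return the plaintext, or None if the tag does not match (the message was altered)."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_crypt(enc_key, ct)


def what_b_reads(secret, authenticated):
    """Run one A -> C -> B exchange and return what B accepts as A's secret."""
    enc_key, mac_key = secrets.token_bytes(1), secrets.token_bytes(32)
    if authenticated:
        blob = seal(enc_key, mac_key, secret)
        return open_sealed(enc_key, mac_key, tamper(blob))
    return xor_crypt(enc_key, tamper(xor_crypt(enc_key, secret)))
```

Without the tag B reads the negation of what A sent and has no way to notice; with it, B's belief is not updated because the altered message is discarded.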

We can encode this situation in an epistemic system. The agents include $\{A, B, C\}$ and we call the
message in which P holds $P$ and the one in which it does not hold $\bar{P}$, these are inconsistent facts so
we have $P, \bar{P} \in Stab(Q)$ and $P \wedge \bar{P} = \bot$, $P \vee \bar{P} = \top$. Let $s, t \in M$ satisfy $s \leq P$ and $t \leq \bar{P}$.
The only agent that knows if P holds or not is $A$ thus $f_A(s) = s$ and similarly $f_A(t) = t$. On the
other hand $B$ and $C$ do not know this so $f_B(s) = f_C(s) = f_B(t) = f_C(t) = s \vee t$. The epistemic
actions that correspond to the cryptographic attack are the following: $\alpha$ in which the message $P$ is
intercepted, modified and sent to $B$, $\beta$ in which the message $\bar{P}$ is intercepted, modified and sent to $B$,
$\alpha'$ in which $A$ sends the message $P$ to $B$, $\beta'$ in which $A$ sends the message $\bar{P}$ to $B$, and finally $\gamma$ which
corresponds to sending a junk message. Thus $\{\alpha, \beta, \alpha', \beta', \gamma\} \subseteq Q$. In actions $\alpha$ and $\beta$ agent $C$ is
uncertain about which message $P$ or $\bar{P}$ has been sent so $f_C(\alpha) = f_C(\beta) = \alpha \vee \beta$. On the other hand,
agent $A$ is sure that he has sent a message (either that P holds or that it doesn't) to $B$ and that $B$ has
received exactly the same secret i.e. $f_A(\alpha) = \alpha'$ and $f_A(\beta) = \beta'$. However if $P$ has been sent, $B$ has
received $\bar{P}$ so $f_B(\alpha) = \beta'$ and the other way around $f_B(\beta) = \alpha'$. Further $f_A(\alpha') = f_B(\alpha') = \alpha'$ and
$f_A(\beta') = f_B(\beta') = \beta'$ and $f_C(\alpha') = f_C(\beta') = \alpha' \vee \beta' \vee \gamma$. $C$ also considers it possible that only a
junk message has been sent and that is why he sees $\gamma$ while in $\alpha'$ and $\beta'$. If a junk message has been
sent, $A$ and $B$ are sure about it $f_A(\gamma) = f_B(\gamma) = \gamma$ while $C$ is unsure if it was a junk message or $P$
or $\bar{P}$, thus $f_C(\gamma) = \alpha' \vee \beta' \vee \gamma$. The kernel of each action comprises the states which they cannot be
applied to i.e. $Ker(\alpha) = Ker(\alpha') = \downarrow \bar{P}$ and $Ker(\beta) = Ker(\beta') = \downarrow P$.

The epistemic action $\alpha \vee \beta$ expresses the action of communicating the secret $P$ or $\bar{P}$ in the above
scenario. Now let us update the state $s$ with the epistemic action $\alpha \vee \beta$ and show that after update, if P
holds, then A knows that B knows that P holds, that is

$$s \cdot (\alpha \vee \beta) \le \Box_A \Box_B P.$$

Since this is equal to $(s \cdot \alpha) \vee (s \cdot \beta) \le \Box_A \Box_B P$ and $s \le P \in \mathrm{Ker}(\beta)$ we get $s \cdot \beta = \bot$, so it suffices to
show that $s \cdot \alpha \le \Box_A \Box_B P$. By adjunction this is $f_B(f_A(s \cdot \alpha)) \le P$. By eq.© we get $f_A(s \cdot \alpha) \le f_A(s) \cdot f_A(\alpha)$,
and order preservation of $f_B$ will give us

$$f_B(f_A(s \cdot \alpha)) \le f_B(f_A(s) \cdot f_A(\alpha)) \le f_B(f_A(s)) \cdot f_B(f_A(\alpha)).$$

Now it suffices to show $f_B(f_A(s)) \cdot f_B(f_A(\alpha)) \le P$. We do that by replacing $f_A$ with its values and
show $f_B(s) \cdot f_B(\alpha') \le P$, do the same for $f_B$ and get $(s \vee t) \cdot \alpha' \le P$, hence $(s \cdot \alpha') \vee (t \cdot \alpha') \le P$, which
is equal to $(s \cdot \alpha') \le P$ since $t \le \bar{P} \in \mathrm{Ker}(\alpha')$. By the assumption $s \le P$ we obtain $s \cdot \alpha' \le P \cdot \alpha'$,
which leads to $s \cdot \alpha' \le P$ because $P$ is a fact.
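The belief mismatch derived above can be checked mechanically in a small set-based model. The following Python code is an added example, not code from the paper: propositions are sets of (world, action) pairs, and the action names, the label `NP` for the opposite fact, the empty kernel for the junk action and the use of $f(m) \cdot f(q)$ as the appearance of an updated state are assumptions of this example.

```python
"""Set-based check of the intercepted-message scenario (constructed example)."""
from itertools import product

# Worlds: "s" lies below the fact P, "t" lies below its opposite (written NP here).
FACT = {"P": {"s"}, "NP": {"t"}}

# Appearance of states: A can tell s and t apart, B and C cannot.
STATE_APP = {
    "A": {"s": {"s"}, "t": {"t"}},
    "B": {"s": {"s", "t"}, "t": {"s", "t"}},
    "C": {"s": {"s", "t"}, "t": {"s", "t"}},
}

# Actions (names are this example's own):
#   alpha / beta   : message P / NP is intercepted, flipped and delivered to B
#   alpha1 / beta1 : message P / NP is delivered unmodified (alpha', beta' in the text)
#   junk           : a junk message is sent (gamma in the text)
ACTION_APP = {
    "A": {"alpha": {"alpha1"}, "beta": {"beta1"},
          "alpha1": {"alpha1"}, "beta1": {"beta1"}, "junk": {"junk"}},
    "B": {"alpha": {"beta1"}, "beta": {"alpha1"},
          "alpha1": {"alpha1"}, "beta1": {"beta1"}, "junk": {"junk"}},
    "C": {"alpha": {"alpha", "beta"}, "beta": {"alpha", "beta"},
          "alpha1": {"alpha1", "beta1", "junk"},
          "beta1": {"alpha1", "beta1", "junk"},
          "junk": {"alpha1", "beta1", "junk"}},
}

# Kernels: the worlds an action cannot be applied to.
# ASSUMPTION: the text gives no kernel for the junk action; it is empty here.
KERNEL = {"alpha": {"t"}, "alpha1": {"t"}, "beta": {"s"}, "beta1": {"s"}, "junk": set()}


def update(worlds, actions):
    """Epistemic update m . q: keep the pairs where the action is applicable."""
    return {(w, a) for w, a in product(worlds, actions) if w not in KERNEL[a]}


def appearance(agent, updated):
    """Appearance of an updated proposition, computed atom by atom as f(w) . f(a).

    ASSUMPTION: the update inequality f(m . q) <= f(m) . f(q) is taken as an
    equality on atoms, which is how a product-update model computes it.
    """
    seen = set()
    for w, a in updated:
        seen |= update(STATE_APP[agent][w], ACTION_APP[agent][a])
    return seen


def entails(updated, fact):
    """m <= fact: facts are stable under update, so only the world component matters."""
    return all(w in FACT[fact] for w, _ in updated)


def believes(agents, updated, fact):
    """Nested belief: agents=("A", "B") checks f_B(f_A(m)) <= fact,
    which by adjunction is m <= Box_A Box_B fact."""
    for agent in agents:
        updated = appearance(agent, updated)
    return entails(updated, fact)


def attack_report():
    """Beliefs after updating the real state s with the action alpha v beta."""
    after = update({"s"}, {"alpha", "beta"})  # s . beta is empty: s is in Ker(beta)
    return {
        "real_state": after,
        "A_believes_B_believes_P": believes(("A", "B"), after, "P"),
        "B_believes_P": believes(("B",), after, "P"),
        "B_believes_NP": believes(("B",), after, "NP"),
        "B_believes_A_believes_NP": believes(("B", "A"), after, "NP"),
        "C_believes_P": believes(("C",), after, "P"),
        "C_believes_NP": believes(("C",), after, "NP"),
    }


if __name__ == "__main__":
    for claim, value in attack_report().items():
        print(f"{claim}: {value}")
```

The report shows A believing that B believes P while B in fact believes the opposite, and C holding no belief either way about P. This is the integrity failure the scenario describes: B's appearance maps contain no action that separates a modified message from an unmodified one.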
BMS Models as Epistemic Systems. The Kripke semantics for dynamic epistemic logic as introduced
in 1U 21 are examples of epistemic systems by the following theorem:

Theorem 3.3 Models of BMS are epistemic systems $(M, Q, \{f_A\}_{A \in \mathcal{A}})$ with the following properties

1. Both $M$ and $Q$ are completely distributive atomistic Boolean algebras.

2. If $m$ is an atom of $M$ and $q$ is an atom of $Q$ then $m \cdot q$ is either $\bot$ or an atom.

3. If $q, q'$ are atoms of $Q$ then $q \bullet q'$ is an atom.

4. If $m \cdot q = \bot$ then either $m = \bot$ or $q = \bot$.

The proof goes by constructing an epistemic system given a model of BMS; it is presented in detail in
[36] and is based on ideas introduced in [4]. Key is the observation that each relation $R \subseteq S \times S$ gives
rise to a sup-map $f_R : \mathcal{P}(S) \to \mathcal{P}(S)$, i.e. we lift the accessibility relations $\to_A$ of the Kripke semantics
of BMS to appearance maps $f_A$. A model of BMS consists of two Kripke structures, one for the states
as usual (S, $\to_A$, h) and one for the deterministic actions $(\Sigma, \to_A, \mathrm{pre})$ where $\mathrm{pre} : \Sigma \to \mathcal{P}(S)$ assigns
to each action a precondition. The state model acts on the action model resulting in an updated state
model, via a partial cartesian product, that is the epistemic update. Action models act on themselves
via a sequential composition operation. In order to construct an epistemic system, we close the set of
'states' (= deterministic actions) of the action model under sequential composition and close the set of
states of the state model under update. The closure of the states yields the atoms of the module and the
closure of deterministic actions yields the atoms of the quantale, and we get a Boolean epistemic system by
taking their powersets $(\mathcal{P}(S), \mathcal{P}(\Sigma), \{f_A\}_{A \in \mathcal{A}})$. Operations of this epistemic system are constructions
of BMS, e.g. epistemic update and sequential composition extended pointwise to subsets of states and
actions. The epistemic and dynamic modalities arise, as before, as adjoints to the lifted appearance and
update maps, but moreover, because of the Boolean complementation, we get a de Morgan dual for
each of these modalities; in particular the de Morgan dual of the epistemic modality $(\Box_A(-)^c)^c$ stands
for the $\Diamond$-modality of standard epistemic logic.

4 The sequent calculus of epistemic systems 

We have two different sequent systems, a Q-system and an M-system; both of them are intuitionistic
in the sense that they have only one formula on the right hand side of the turnstile. The Q-system
corresponds to the quantale part and the M-system corresponds to the module of a distributive epistemic
system. By this we mean an epistemic system with a distributive module.

The Q-system. The formulas of the Q-system, denoted as $L_Q$, are generated by the following syntax:

$$q ::= \top \mid \bot \mid a \mid 1 \mid q \bullet q \mid q / q \mid q \backslash q \mid q \vee q \mid q \wedge q \mid f^Q_A(q) \mid \Box^Q_A q$$

where $A$ is in the set $\mathcal{A}$ of agents, and $a$ is in a set $V_Q$ of atomic action variables. The sequents of the
Q-system are called Q-sequents and are denoted as

$$\Gamma \vdash_Q q$$

where $\Gamma$ is a sequence of actions and agents, that is $\Gamma \in (L_Q \cup \mathcal{A})^*$, and $q$ is a single action, that is
$q \in L_Q$. To assign meaning to the sequents of the Q-system, we introduce

$$- \odot_Q - : L_Q \times (L_Q \cup \mathcal{A}) \to L_Q$$

by putting

$$q \odot_Q A := f^Q_A(q).$$

For $\Gamma = (\gamma_1, \cdots, \gamma_n) \in (L_Q \cup \mathcal{A})^*$ we take the convention

$$\bigodot_Q \Gamma := ((((1 \odot_Q \gamma_1) \odot_Q \gamma_2) \odot_Q \gamma_3) \cdots) \odot_Q \gamma_n.$$

As an example, the sequence $\Gamma = (q, A, q')$ corresponds to

$$\bigodot_Q \Gamma = ((1 \odot_Q q) \odot_Q A) \odot_Q q' = f^Q_A(1 \bullet q) \bullet q' = f^Q_A(q) \bullet q'.$$

Adding the multiplicative unit to the beginning of the sequence will allow us to avoid non-well defined
$\odot_Q$-expressions for sequences such as $\Gamma = A$, which will now mean $\bigodot_Q A = f^Q_A(1)$. Indeed, the
operation $\odot_Q$ constitutes our semantic interpretation of the comma for Q-sequents. For simplicity we
denote the semantics of a formula by the formula itself, i.e. rather than $[\![\bigodot_Q \Gamma]\!]$ and $[\![q]\!]$ we write $\bigodot_Q \Gamma$
and $q$. The empty sequence on the left hand side stands for 1 and we do not allow for the empty sequence
on the right hand side. We define a satisfaction relation $\models_Q$ on the Q-system as follows:

$$\Gamma \models_Q q' \quad \text{iff} \quad \bigodot_Q \Gamma \le q'.$$

We say that a sequent $\Gamma \vdash_Q q'$ is valid if and only if $\Gamma \models_Q q'$. In this way we identify any Q-sequence
$\Gamma$ with a Q-formula and its corresponding element of the quantale.

Ordered monoids have first been used by Lambek to model Lambek-calculus. Yetter showed that
quantales are models of non-commutative Linear Logic [39]. The extension of these systems to epistemic
modalities and quantales with operators is new. So the operational and unit rules for the Q-system
are the rules for Non-Commutative Intuitionistic Linear Logic, extended with an agent context. In order
to see the connection with Linear Logic note that our multiplication $\bullet$ is the tensor of Linear Logic, our
disjunction is the Linear Logic sum, the conjunction is $\&$, and our left and right residuals are $\multimapinv$ (written o—) and
$\multimap$ (written —o). In a table:

    Q-system          Linear Logic
    $1$               $1$
    $\top$            $\top$
    $\bot$            $0$
    $\bullet$         $\otimes$
    $/$               o—
    $\backslash$      —o
    $\vee$            $\oplus$
    $\wedge$          $\&$




The axiom and unit rules of the Q-system are: 
The operational rules of the Q-system including those on epistemic modalities are:




As in non-commutative Linear Logic we have no weakening, contraction and exchange rules for actions. 
Our structural rules consist of a restricted version of the usual cut rule and a rule to encode the relation 
between appearance maps and the unit of composition — eq.© in the algebra. These two rules are: 



$$\frac{\Gamma' \vdash_Q q \qquad q, \Gamma'' \vdash_Q q'}{\Gamma', \Gamma'' \vdash_Q q'}\ Qcut$$



Agent 



The M-system. The formulas of the M-system, denoted as $L_M$, are generated by the following syntax:

$$m ::= \bot \mid \top \mid p \mid s \mid m \wedge m \mid m \vee m \mid [q]m \mid m \cdot q \mid \Box^M_A m \mid f^M_A(m)$$

where $A$ is in the set $\mathcal{A}$ of agents, $p$ is in the set $\Phi$ of facts, and $s$ is in a set $V_M$ of atomic propositional
variables. The sequents of the M-system are called M-sequents and are denoted as

$$\Gamma \vdash_M m$$

where $\Gamma$ is a sequence of propositions, actions, and agents, that is $\Gamma \in (L_M \cup L_Q \cup \mathcal{A})^*$, and $m$ is a
single proposition, that is $m \in L_M$. To assign meaning to M-sequents we consider

$$- \odot_M - : L_M \times (L_M \cup L_Q \cup \mathcal{A}) \to L_M$$

now by putting

$$m \odot_M A := f^M_A(m)$$

$$m \odot_M q := m \cdot q$$

$$m \odot_M m' := m \wedge m'.$$

For $\Gamma = (\gamma_1, \cdots, \gamma_n) \in (L_M \cup L_Q \cup \mathcal{A})^*$ we take the convention

$$\bigodot_M \Gamma := ((((\top \odot_M \gamma_1) \odot_M \gamma_2) \odot_M \gamma_3) \cdots) \odot_M \gamma_n.$$

As an example, the sequence $\Gamma = (m, A, q, B, m')$ corresponds to

$$\bigodot_M \Gamma = ((((\top \odot_M m) \odot_M A) \odot_M q) \odot_M B) \odot_M m' = f^M_B(f^M_A(\top \wedge m) \cdot q) \wedge m' = f^M_B(f^M_A(m) \cdot q) \wedge m'.$$

Sequences of only one agent $\Gamma = A$ will mean $\bigodot_M \Gamma = f^M_A(\top)$ and sequences of only one action
$\Gamma = q$ will mean $\bigodot_M \Gamma = \top \cdot q$. The empty sequence on the left hand side stands for $\top$; here we also
allow for an empty right hand side, which stands for $\bot$. As before, we denote the semantics of a formula
by the formula itself. We define

$$\Gamma \models_M m' \quad \text{iff} \quad \bigodot_M \Gamma \le m'$$

and say that a sequent $\Gamma \vdash_M m'$ is valid if and only if $\Gamma \models_M m'$. In this way we identify any
M-sequence $\Gamma$ with an M-formula and its corresponding element of the module.

The rules of the M-system correspond to a distributive lattice logic extended with an agent context
for our epistemic modalities. The axiom and unit rules of the M-system are⁵:



m \~m m 



Id 



_L \~m m 



r h 



rh M t 



TR 



The operational rules of the M-system for the lattice operations and modalities are: 



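$$\frac{m, A, \Gamma \vdash_M m'}{f^M_A(m), \Gamma \vdash_M m'}\ f^M_A L \qquad \frac{\Gamma \vdash_M m}{\Gamma, A \vdash_M f^M_A(m)}\ f^M_A R$$

$$\frac{m, \Gamma \vdash_M m'}{\Box^M_A m, A, \Gamma \vdash_M m'}\ \Box^M_A L \qquad \frac{\Gamma, A \vdash_M m}{\Gamma \vdash_M \Box^M_A m}\ \Box^M_A R$$

$$\frac{\Gamma, m_1, \Gamma' \vdash_M m}{\Gamma, m_1 \wedge m_2, \Gamma' \vdash_M m}\ \wedge L1 \qquad \frac{\Gamma, m_2, \Gamma' \vdash_M m}{\Gamma, m_1 \wedge m_2, \Gamma' \vdash_M m}\ \wedge L2 \qquad \frac{\Gamma \vdash_M m_1 \qquad \Gamma \vdash_M m_2}{\Gamma \vdash_M m_1 \wedge m_2}\ \wedge R$$

$$\frac{\Gamma, m_1, \Gamma' \vdash_M m \qquad \Gamma, m_2, \Gamma' \vdash_M m}{\Gamma, m_1 \vee m_2, \Gamma' \vdash_M m}\ \vee L \qquad \frac{\Gamma \vdash_M m_1}{\Gamma \vdash_M m_1 \vee m_2}\ \vee R1 \qquad \frac{\Gamma \vdash_M m_2}{\Gamma \vdash_M m_1 \vee m_2}\ \vee R2$$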



As structural rules, we have propositional weakening, contraction, and exchange, a restricted version of
the usual cut rule, and a rule encoding stability of facts under update:



T, m , m , T \~m m 



contr 



T, m', r" \~m m 
r' h-Af m' m', r" hjv/ m 



Mcut 



T, m , m , T \~m m 
T, m', m", T' hjvf m 

r, r" h M m 



exch 



~M 



r, to', r' i~m to 



weakL 



fact 



T \~m m 



weakR 



5 The $\bot R$ rule follows from the weakR rule and thus can be dropped.
The MQ-system. Since the core of our approach is the action of the quantale on the module, we also
have mixed rules for epistemic update and dynamic modality consisting of both M- and Q-sequents:

$$\frac{m', q, \Gamma \vdash_M m}{m' \cdot q, \Gamma \vdash_M m}\ \cdot L \qquad \frac{\Gamma, \Gamma_A \vdash_M m \qquad \Gamma_Q, \Gamma_A \vdash_Q q}{\Gamma, \Gamma_Q, \Gamma_A \vdash_M m \cdot q}\ \cdot R$$

$$\frac{m' \vdash_M m \qquad \Gamma_Q \vdash_Q q}{[q]m', \Gamma_Q \vdash_M m}\ DyL \qquad \frac{\Gamma, q \vdash_M m}{\Gamma \vdash_M [q]m}\ DyR$$



The action of the quantale on the module preserves the unit of multiplication, is disjunction preserving 
in both arguments, and satisfies an associativity condition with regard to composition of actions. In 
order to prove the same properties for epistemic update (and dual ones for dynamic modality) in the 
M-system, we should be able to work with the quantale operations in M-sequents. So we have the 
following rules that include for example update with unit, composition, and choice of actions: 



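$$\frac{\Gamma, \Gamma' \vdash_M m}{\Gamma, 1, \Gamma' \vdash_M m}\ 1ML \qquad \frac{\Gamma, q_1 \vdash_M m \qquad \Gamma, q_2 \vdash_M m}{\Gamma, q_1 \vee q_2 \vdash_M m}\ \vee ML$$

$$\frac{\Gamma_Q \vdash_Q q_2 \qquad \Gamma, q_1 \vdash_M m}{\Gamma, q_1 / q_2, \Gamma_Q \vdash_M m}\ /ML \qquad \frac{\Gamma_Q \vdash_Q q_1 \qquad \Gamma, q_2 \vdash_M m}{\Gamma, \Gamma_Q, q_1 \backslash q_2 \vdash_M m}$$

$$\frac{\Gamma, q_1, q_2, \Gamma' \vdash_M m}{\Gamma, q_1 \bullet q_2, \Gamma' \vdash_M m}$$

$$\frac{\Gamma, q_1, \Gamma' \vdash_M m}{\Gamma, q_1 \wedge q_2, \Gamma' \vdash_M m}\ \wedge ML1 \qquad \frac{\Gamma, q_2, \Gamma' \vdash_M m}{\Gamma, q_1 \wedge q_2, \Gamma' \vdash_M m}\ \wedge ML2$$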



Note on the cut rules. We have two cut rules in our system: a QCut for the Q-system and an MCut
for the M-system. Although the Q-system subsumes a quantale logic for which cut is eliminable, for
example non-commutative Linear Logic or Lambek-calculus, the QCut of our system does not inherit
this property. We believe this is partly because of the modal part of the logic, that is the quantale
endomorphisms and their interaction with the non-commutative sequential composition in eq. (Q~|). This
equation is encoded in the $\bullet R$ rule, which needs context splitting for actions and context sharing for
agents. Similarly, the MCut is not eliminable, partly due to the update inequality eq. © and its
corresponding $\cdot R$ rule. However (as noticed by one of our referees), in both of these systems the identity
rules can be reduced to atomics, which is a sign of well-definedness of our system. Studying these proof
theoretic issues constitutes future work.



Note on intuitive reading of sequents. To provide the reader with a way to read our sequents in
natural language, we capture the intuitive meaning of a sequent in the following inductive manner:

• $\vdash_M m$ means "proposition $m$ holds in all contexts"

• $\vdash_Q q$ means "action $q$ does not necessarily have an effect on propositions"

• $\Gamma, A, \Gamma' \vdash_M m$ means "in context $\Gamma$ agent $A$ knows/believes that $\Gamma' \vdash_M m$ holds"; this
captures features of $A$'s own reasoning: $\Gamma' \vdash_M m$ is accepted by $A$ in context $\Gamma$ as a valid
argument.

• $\Gamma, q, \Gamma' \vdash_M m$ means "after action $q$ happens on context $\Gamma$, the sequent $\Gamma' \vdash_M m$ will hold"

• $m', \Gamma \vdash_M m$ means "in context $m'$ (in any situation in which $m'$ is true), the sequent $\Gamma \vdash_M m$
holds"

• $\Gamma, A, \Gamma' \vdash_Q q$ means "in context $\Gamma$ agent $A$ knows/believes that $\Gamma' \vdash_Q q$ holds"

• $q', \Gamma \vdash_Q q$ means "after doing action $q'$, the sequent $\Gamma \vdash_Q q$ holds"

Observe that the left-to-right order of this intuitive reading is the opposite of the right-to-left application
order of $\odot$ or comma. This is because the reading involves the (intuitive) notions of knowledge and
weakest precondition, which are adjoints of the $f_A$ and $\cdot$ operations; thus, the intuitive reading can be
obtained by taking the adjoints (which live on the right side of the turnstile) of the formulas on the left-hand
side of a sequent. For instance, the sequent $m, A, B \vdash_M m'$ after applying commas on the left would
mean $f^M_B(f^M_A(m)) \le m'$, and after applying the adjoints would correspond to $m \le \Box^M_A \Box^M_B m'$. This
has now the exact shape of its intuitive meaning, which is "in context $m$ agent $A$ believes that agent
$B$ believes that $m'$". Examples such as $\Gamma, m \vdash_M m'$ make more sense when $M$ is a Heyting algebra.
For instance, the sequent $m, A, q, B, m' \vdash_M m''$ can be read as: "in context $m$, agent $A$ believes that
after action $q$ agent $B$ will believe that, in context $m'$, proposition $m''$ must hold". This reading shows
that, as already mentioned in the introduction, our sequent calculus expresses two forms of resource
sensitivity. One is the use-only-once form of linear logic lfl7l that comes from the quantale structure on
epistemic actions, which we called dynamic resources. The other form deals with epistemic resources:
the resources available to each agent that enable him to reason in a certain way (i.e. to infer a conclusion
from some assumptions). These resources are encoded in the way the context appears to the agent in
sequents; for instance $\Gamma$ in the sequent $\Gamma, A, \Gamma' \vdash_M m$ is the context, and hence $f^M_A(\Gamma)$ is the resource
that enables agent $A$ to do the $\Gamma' \vdash_M m$ reasoning. Note that $\Gamma' \vdash_M m$ might not be a valid sequent in
the context $\Gamma$, but it is valid in the context given by $\Gamma$'s appearance to agent $A$.

Theorem 4.1 (Soundness) The rules presented in this section are sound with respect to the algebraic 
semantics in terms of distributive epistemic systems. 

Proof. For the soundness of the rules we have to show that derivable sequents of the Q- and M-systems
are valid in a distributive epistemic system, that is Q-rules are valid in the quantale part and M-rules
(including the mixed rules) are valid in the module part. In other words, we have to prove the following
for the Q-system

$$\text{if } \Gamma \vdash_Q q \text{ then } \Gamma \models_Q q$$

and a similar one for the M-system. The proof is done by induction on the operation and applying
the algebraic definitions and properties of the connectives to show that the rules of each system preserve
validity of sequents. The full proof can be found in [36]; here we provide the reader with the proofs
for the rules that show the crucial features of our system: sequential composition and appearance and
knowledge of actions in the quantale for the Q-system, and epistemic update and dynamic modality for
the M-system.

i. Soundness of sequential composition. The rules for sequential composition are

$$\frac{\Gamma, q_1, q_2, \Gamma' \vdash_Q q}{\Gamma, q_1 \bullet q_2, \Gamma' \vdash_Q q}\ \bullet L \qquad \frac{\Gamma_Q, \Gamma_A \vdash_Q q_1 \qquad \Gamma'_Q, \Gamma_A \vdash_Q q_2}{\Gamma_Q, \Gamma'_Q, \Gamma_A \vdash_Q q_1 \bullet q_2}\ \bullet R$$
To prove soundness, we have to show that if the sequent on the top line is valid, so is the sequent on the
bottom line. Using the definition of validity, we have to show the following satisfaction statement for
the left rule:

$$\text{If } \Gamma, q_1, q_2, \Gamma' \models_Q q \text{ then } \Gamma, q_1 \bullet q_2, \Gamma' \models_Q q.$$

By the definition of satisfaction in terms of $\bigodot_Q$, we have to show the following

$$\text{If } \bigodot_Q(\Gamma, q_1, q_2, \Gamma') \le q \text{ then } \bigodot_Q(\Gamma, q_1 \bullet q_2, \Gamma') \le q.$$

This is true since the application of $\bigodot_Q$ to the left hand side sequences of the top and bottom sequents
yields equal quantale elements, that is

$$\bigodot_Q(\Gamma, q_1, q_2, \Gamma') = \bigodot_Q \Gamma \bullet q_1 \bullet q_2 \bullet \bigodot_Q \Gamma' = \bigodot_Q(\Gamma, q_1 \bullet q_2, \Gamma').$$

For the right rule we proceed similarly and show the following satisfaction statement

$$\text{If } \Gamma_Q, \Gamma_A \models_Q q_1 \text{ and } \Gamma'_Q, \Gamma_A \models_Q q_2 \text{ then } \Gamma_Q, \Gamma'_Q, \Gamma_A \models_Q q_1 \bullet q_2$$

which is by definition equivalent to the following $\bigodot_Q$ statement

$$\text{If } \bigodot_Q(\Gamma_Q, \Gamma_A) \le q_1 \text{ and } \bigodot_Q(\Gamma'_Q, \Gamma_A) \le q_2 \text{ then } \bigodot_Q(\Gamma_Q, \Gamma'_Q, \Gamma_A) \le q_1 \bullet q_2.$$

We first assume that we have only one agent in our agent context, that is $\Gamma_A = A$, and we have to show
the following

$$\text{If } f^Q_A(\bigodot_Q \Gamma_Q) \le q_1 \text{ and } f^Q_A(\bigodot_Q \Gamma'_Q) \le q_2 \text{ then } f^Q_A(\bigodot_Q \Gamma_Q \bullet \bigodot_Q \Gamma'_Q) \le q_1 \bullet q_2.$$

Assume that the precedent holds; by order-preservation of the multiplication on the quantale we can
multiply both sides of these inequalities and we get

$$f^Q_A(\bigodot_Q \Gamma_Q) \bullet f^Q_A(\bigodot_Q \Gamma'_Q) \le q_1 \bullet q_2.$$

By the relation between appearance maps and multiplication on the quantale eq.(Q~|) we have

$$f^Q_A(\bigodot_Q \Gamma_Q \bullet \bigodot_Q \Gamma'_Q) \le f^Q_A(\bigodot_Q \Gamma_Q) \bullet f^Q_A(\bigodot_Q \Gamma'_Q), \quad \text{hence} \quad f^Q_A(\bigodot_Q \Gamma_Q \bullet \bigodot_Q \Gamma'_Q) \le q_1 \bullet q_2,$$

which is exactly what we wanted to prove, that is the validity of the bottom line of the rule. If $\Gamma_A$ has
more than one agent, $\Gamma_A = A_1, \ldots, A_n$, then we have to show that if

$$f^Q_{A_1}(f^Q_{A_2}(\cdots f^Q_{A_n}(\bigodot_Q \Gamma_Q))) \le q_1 \quad \text{and} \quad f^Q_{A_1}(f^Q_{A_2}(\cdots f^Q_{A_n}(\bigodot_Q \Gamma'_Q))) \le q_2$$

then

$$f^Q_{A_1}(f^Q_{A_2}(\cdots f^Q_{A_n}(\bigodot_Q \Gamma_Q \bullet \bigodot_Q \Gamma'_Q))) \le q_1 \bullet q_2.$$

The proof for this case is done similarly, except that after multiplying the two sides of the assumption
by $\bullet$, we have to apply the inequality for $f^Q_A$ and the quantale multiplication $n$ times, that is once for
each agent $A_i \in \Gamma_A$, starting from the innermost one $f^Q_{A_n}$ and ending with the outmost one $f^Q_{A_1}$.

ii. Soundness of appearance and knowledge of actions. The rules for the appearance map are

$$\frac{q', A, \Gamma \vdash_Q q}{f^Q_A(q'), \Gamma \vdash_Q q}\ f^Q_A L \qquad \frac{\Gamma \vdash_Q q}{\Gamma, A \vdash_Q f^Q_A(q)}\ f^Q_A R$$

By using the satisfaction relation and definition of $\bigodot_Q$, soundness of the left rule follows from the definition
of $\odot_Q$ between an agent and an action. This is because $\bigodot_Q(q', A, \Gamma)$ is equal to $f^Q_A(q') \bullet \bigodot_Q \Gamma$, for
which by the top line we have $f^Q_A(q') \bullet \bigodot_Q \Gamma \le q$. The right rule follows by the order preservation of
$f^Q_A$, that is if $\bigodot_Q \Gamma \le q$ then we have $f^Q_A(\bigodot_Q \Gamma) \le f^Q_A(q)$, which is the meaning of the bottom line.
The rules for knowledge on the quantale are:

$$\frac{q', \Gamma \vdash_Q q}{\Box^Q_A q', A, \Gamma \vdash_Q q}\ \Box^Q_A L \qquad \frac{\Gamma, A \vdash_Q q}{\Gamma \vdash_Q \Box^Q_A q}\ \Box^Q_A R$$

For the left rule assume $q' \bullet \bigodot_Q \Gamma \le q$, and we have to show $f^Q_A(\Box^Q_A q') \bullet \bigodot_Q \Gamma \le q$. By composition
of the adjoints $f^Q_A$ and $\Box^Q_A$, we have $f^Q_A(\Box^Q_A q') \le q'$. We multiply both sides of this by $\bigodot_Q \Gamma$ and
we get $f^Q_A(\Box^Q_A q') \bullet \bigodot_Q \Gamma \le q' \bullet \bigodot_Q \Gamma$, and this is by the top line assumption less than $q$, so we have
$f^Q_A(\Box^Q_A q') \bullet \bigodot_Q \Gamma \le q' \bullet \bigodot_Q \Gamma \le q$. For the right rule our top line assumption is $f^Q_A(\bigodot_Q \Gamma) \le q$,
which is by adjunction equal to $\bigodot_Q \Gamma \le \Box^Q_A q$. Note that this rule is also sound in the other direction,
that is the bottom line implies the top line.

iii. Soundness of epistemic update. The rules for epistemic update are

$$\frac{m', q, \Gamma \vdash_M m}{m' \cdot q, \Gamma \vdash_M m}\ \cdot L \qquad \frac{\Gamma, \Gamma_A \vdash_M m \qquad \Gamma_Q, \Gamma_A \vdash_Q q}{\Gamma, \Gamma_Q, \Gamma_A \vdash_M m \cdot q}\ \cdot R$$

The soundness proofs for these rules use the definition of validity and satisfaction of M-sequents, which
is based on the $\odot_M$ operation. So for the left rule we have to show the following

$$\text{If } m', q, \Gamma \models_M m \text{ then } m' \cdot q, \Gamma \models_M m$$

which is by definition equivalent to the following

$$\text{If } \bigodot_M(m', q, \Gamma) \le m \text{ then } \bigodot_M(m' \cdot q, \Gamma) \le m.$$

This holds since $\bigodot_M(m', q, \Gamma) = \bigodot_M(m' \cdot q, \Gamma) = (m' \cdot q) \wedge \bigodot_M \Gamma$. Proceeding similarly, for the
right rule we have to show the following

$$\text{If } \bigodot_M(\Gamma, \Gamma_A) \le m \text{ and } \bigodot_Q(\Gamma_Q, \Gamma_A) \le q \text{ then } \bigodot_M(\Gamma, \Gamma_Q, \Gamma_A) \le m \cdot q.$$

In order to do so, we first assume that we have only one agent in our agent context, that is $\Gamma_A = A$.
By the first assumption of the top line we have $f^M_A(\bigodot_M \Gamma) \le m$ and by the second assumption
we have $f^Q_A(\bigodot_Q \Gamma_Q) \le q$. Since update is order preserving, we can update both sides of these two
assumptions by each other and get $f^M_A(\bigodot_M \Gamma) \cdot f^Q_A(\bigodot_Q \Gamma_Q) \le m \cdot q$. Now by the update inequality we
have $f^M_A(\bigodot_M \Gamma \cdot \bigodot_Q \Gamma_Q) \le f^M_A(\bigodot_M \Gamma) \cdot f^Q_A(\bigodot_Q \Gamma_Q) \le m \cdot q$, which is what we want for the bottom
line and we are done. If we have more than one agent, that is $\Gamma_A = A_1, \ldots, A_n$, then we follow the
same line except that we have to apply the update inequality $n$ times, starting from the innermost agent
$A_n$ to the outmost one $A_1$, that is

M Q 

iv. Soundness of dynamic modality. The rules for dynamic modality are

$$\frac{m' \vdash_M m \qquad \Gamma_Q \vdash_Q q}{[q]m', \Gamma_Q \vdash_M m}\ DyL \qquad \frac{\Gamma, q \vdash_M m}{\Gamma \vdash_M [q]m}\ DyR$$

For the left rule we start from the second assumption $\bigodot_Q \Gamma_Q \le q$; since update is order preserving, we
update $[q]m'$ on both sides and we get

$$[q]m' \cdot \bigodot_Q \Gamma_Q \le [q]m' \cdot q.$$

Now by adjunction between update and dynamic modality we have that $[q]m' \cdot q \le m'$, and by the first
assumption of the top line we have $m' \le m$, and by transitivity we get

$$[q]m' \cdot \bigodot_Q \Gamma_Q \le m$$

which is exactly what we want for the bottom line. We proceed similarly for the right rule: the $\odot_M$
definition of the top line assumption says $\bigodot_M \Gamma \cdot q \le m$, which is by adjunction equivalent to $\bigodot_M \Gamma \le [q]m$,
the $\odot_M$ definition of the bottom line. Note that this rule holds in both directions, that is the bottom
line implies the top line.

Theorem 4.2 (Completeness) The rules presented in this section are complete with respect to the
algebraic semantics in terms of distributive epistemic systems.

Proof. We show that if a sequent is valid in any distributive epistemic system then it is provable using
the rules of our Q- and M-systems. That is,

$$\text{if } \Gamma \models_Q q \text{ then } \Gamma \vdash_Q q, \text{ and if } \Gamma \models_M m \text{ then } \Gamma \vdash_M m.$$

We show the contrapositive by building two Lindenbaum-Tarski algebras: $M_0$ of equivalence classes of
M-formulas over $=_M$ and $Q_0$ of equivalence classes of Q-formulas over $=_Q$, and define an order relation
$\le$ between them as $\vdash$ on their corresponding system. Similarly, we define all the algebraic operations
of epistemic systems $\wedge, \vee, f_A, \Box_A, \cdot, [\,], \bullet$ on the quantale and module in terms of their sequent calculus
counterparts, and show that these operations are well-defined over equivalence classes of formulas by
using our sequent rules. We then show that these operations satisfy the finite versions of the equations
of a distributive epistemic system, that is, the same axioms but with binary joins (and meets) instead
of arbitrary ones. Thus we have shown that $(M_0, Q_0, \{f_A\}_{A \in \mathcal{A}})$ constitutes a distributive pre-epistemic
system, one with binary joins. In order to extend our proof from this distributive pre-epistemic system to
a distributive epistemic system (with arbitrary joins), we proceed by an ideal construction. We build the
family of ideals over $M_0$ and $Q_0$, denoted by $M$ and $Q$, and then show that $(M, Q, \{f_A\}_{A \in \mathcal{A}})$ faithfully
embeds $(M_0, Q_0, \{f_A\}_{A \in \mathcal{A}})$ and thus it is a complete model of our sequent system.

The full proof is presented in [36]; here we proceed by providing the reader with some examples. In
$Q_0$ the order is the logical consequence of Q-sequents and the quantale operations are defined using the
syntax of Q-formulas. Appearance maps and knowledge on $Q_0$ are defined using the $f^Q_A$ maps of the
Q-system as follows

$$f^Q_A([q]) := [f^Q_A(q)] \quad \text{and} \quad \Box^Q_A [q] := [\Box^Q_A q].$$

We have to show that these are well-defined, that is

$$\text{if } [q_1] = [q'_1] \text{ then } [f^Q_A(q_1)] = [f^Q_A(q'_1)], \text{ and if } [q_1] = [q'_1] \text{ then } [\Box^Q_A q_1] = [\Box^Q_A q'_1]$$

or in logical consequence terms

$$\text{if } q_1 \dashv\vdash_Q q'_1 \text{ then } f^Q_A(q_1) \dashv\vdash_Q f^Q_A(q'_1), \text{ and if } q_1 \dashv\vdash_Q q'_1 \text{ then } \Box^Q_A q_1 \dashv\vdash_Q \Box^Q_A q'_1.$$

The proof trees for well-definedness of appearance are as follows

^ h Q ?! f Q fi gi h Q ^ f Q R 

Qi,Ah Q f%[) JA q[,Ah Q f%( qi ) JA 

f%l) f%i) f%'i) f%i) 

Similarly, the proof trees for well-definedness of knowledge are 

I t Ass. ~i j Ass. 



It remains to show that appearance and knowledge are adjoint, that is

$$[f^Q_A(q)] \le [q'] \quad \text{iff} \quad [q] \le [\Box^Q_A q'].$$

The two proof trees for these follow

-TV 7 Id —r Id 

Ass q h Q g U Q L q ^ q f Q R Ass 

^ Q dfr • Uy^ Q q> Q A Cut q,A, Q f%) A m^l QCut 



g» A h Q {_ q l " q,Ah Q q' 

f%)^ Q q' A q^QO Q A q 



We now have to show that our operations satisfy the binary versions of axioms of epistemic systems.
For example that the appearance maps on $Q$ preserve binary joins, that is

$$[f^Q_A(q_1 \vee q_2)] = [f^Q_A(q_1) \vee f^Q_A(q_2)].$$

The proof of the first direction of this equality is as follows

— r Id — r Id 

^ h Q gi f Q R h Q ^ f Q R 

q u Ah Q fQ{q x ) jA ^ q2,Ah Q f% 2 ^ JA 



VR1 75 — - 75 Vi?2 

glVg 2 ,Ar- Q /Q( gi )V/Q( g2 ) V 

tf(ftVg 2 )r- Q /«fe)V/J(g 2 ) /a 



Similarly, the proof tree for the second direction is



— r Id — r id 

91 l"Q 91 92 \~Q 92 



9iH Q giV^ 2 q 92 l~Q 91 V 92 



/?(9l)V/Jfe)r- Q /J(g lV92 ) 

The same constructions are done in the model built out of the syntax of the M-system, that is in $M_0$ where
the order is $\vdash_M$. The meet, join, appearance and knowledge modality of $M_0$ are defined using their
counterparts in the M-system, but for update and dynamic modality, we need to use both M- and
Q-systems. The update is defined on the pair $(M_0, Q_0)$ using the update operator of our M-system as
follows

$$[m] \cdot [q] := [m \cdot q].$$

We have to show that it is well-defined, that is

$$\text{If } [m] = [m'] \text{ and } [q] = [q'] \text{ then } [m \cdot q] = [m' \cdot q'].$$

The proof tree for one direction of this equality is as follows



m\- M m q R 

m, q\- M m' ■ q^_ 



m-q\- M 



The proof tree for the other direction is drawn similarly. It is easy to prove that update preserves binary
joins of both $M_0$ and $Q_0$ and the unit of $Q_0$, and that it is associative over multiplication of $Q_0$. The
dynamic modality of $M_0$ is defined in the same way by using the dynamic modality of the M-system
and proved well-defined and adjoint to update.

So far we have shown that $(M_0, Q_0, \{f_A\}_{A \in \mathcal{A}})$ is a distributive pre-epistemic system with regard
to which the M- and Q-systems are complete. We extend this proof to distributive epistemic systems by
embedding this structure into an epistemic system $(M, Q, \{f_A\}_{A \in \mathcal{A}})$ by taking $M = Idl(M_0)$ and
$Q = Idl(Q_0)$, where $Idl(M_0)$ is the family of ideals over $M_0$ and $Idl(Q_0)$ is the family of ideals
over $Q_0$. A subset of a lattice is called an ideal if it is non-empty, downward-closed, and closed under
finite joins. The order $\le$ on ideals is given by inclusion, the arbitrary meet of ideals $\bigwedge_i I_i$ is given by
intersection of ideals $\bigcap_i I_i$, while the arbitrary join $\bigvee_i I_i$ of a family of ideals is the ideal generated by
their union, which is the downward-closure of the set of all finite joins of elements of these ideals. For
example, the join in $Q$ is given by

i 

The rest of the operations, that is $f_A$ for both $M$ and $Q$, also $\cdot$ and $\bullet$, are extended to ideals by applying
them pointwise and then taking the downward closure. For instance, the appearance of ideals on $Q$ is
defined as follows

$$f^Q_A(I) = \downarrow\{f^Q_A(q) \mid q \in I\}$$



Y finite 
We have to show that these operations are ideal preserving, that is for example, the join of ideals $\bigvee_i I_i$
is an ideal. Downward closure follows from the definition. For closure under joins assume that $x, y \in \bigvee_i I_i$;
then $x \le \bigvee Y_1$ and $y \le \bigvee Y_2$, for $Y_1, Y_2$ finite subsets of the unions of $I_i$'s, that is $Y_1 \subseteq I_1$ and
$Y_2 \subseteq I_2$. We have $x \vee y \le (\bigvee Y_1) \vee (\bigvee Y_2) = \bigvee(Y_1 \cup Y_2)$; since $Y_1 \cup Y_2 \subseteq I_1 \cup I_2$, it is also a finite
subset of the union of $I_i$'s and thus $\bigvee(Y_1 \cup Y_2)$ is an element of $\bigvee_i I_i$. Since $x \vee y$ lives in the down set of
$\bigvee(Y_1 \cup Y_2)$, we obtain $x \vee y \in \bigvee_i I_i$. The proofs for other operations are done similarly, see [36]. The
units of these operations are extended to ideals: the unit of multiplication is $\downarrow 1$, the unit of appearance
and join of $Q$ and $M$ is $\{\bot\}$ for the bottom of each accordingly, the unit of their meets is the ideal
generated by the whole of $Q_0$ and $M_0$, that is $Q_0$ and $M_0$ themselves. These ideals satisfy the axioms
of epistemic systems, for example appearance of ideals of $Q_0$ preserves arbitrary joins of them. These
are straightforward proofs and follow from the definition; for example for appearance of ideals of $Q_0$
we have to show

$$f^Q_A(\bigvee_i I_i) = \bigvee_i f^Q_A(I_i).$$

We start from the left hand side 

lS(\Jli) = |{/J(V^)l^isanideal} 

i i 

= |{/J(V y )l yfinite ^U J <} 

i 

= HVtf( y )i yfinite ^U 1 ^ 

i 

which is equal to $\bigvee_i f^Q_A(I_i)$. The proofs for other axioms are done similarly and from them it follows
that $(M, Q, \{f_A\}_{A \in \mathcal{A}})$ is an epistemic system. It remains to show that $M_0$ and $Q_0$ are faithfully
embedded into $M$ and $Q$. The embedding $Q_0 \hookrightarrow Idl(Q_0)$ is defined as $q \mapsto \downarrow q$ and similarly for
$M_0 \hookrightarrow Idl(M_0)$ as $m \mapsto \downarrow m$. We show that this embedding is a homomorphism (thus it is faithful) in
both $M$ and $Q$. We show this, for example in $Q$ and for $q_1, q_2 \in Q_0$, by checking the following

$$e(q_1) \vee e(q_2) = e(q_1 \vee q_2)$$
$$e(q_1) \wedge e(q_2) = e(q_1 \wedge q_2)$$
$$e(q_1) \bullet e(q_2) = e(q_1 \bullet q_2)$$
$$f^Q_A(e(q)) = e(f^Q_A(q))$$

We present the proof for the appearance maps of $Q$, where we have to show $f^Q_A(\downarrow q) = \downarrow f^Q_A(q)$. By
definition of appearance of ideals, this is equivalent to showing the following

$$\downarrow\{f^Q_A(x) \mid \forall x \in \downarrow q\} = \downarrow f^Q_A(q).$$

For the first direction, we take an element of the right hand side $x \le f^Q_A(q)$ and since $q \le q$, we have
$f^Q_A(q) \in f^Q_A(\downarrow q)$ and we get $x \in f^Q_A(\downarrow q)$. For the other direction, we take an element of the left hand
side $x \in f^Q_A(\downarrow q)$, which means $x \le f^Q_A(y)$ for some $y \le q$. Since $f^Q_A$ is monotone, we apply it to both
sides of $y \le q$ and we get $f^Q_A(y) \le f^Q_A(q)$, so we have that $x \le f^Q_A(q)$, that is an element of the right
hand side.
Since the distributive pre-epistemic system $(M_0, Q_0, \{f_A\}_{A \in \mathcal{A}})$ with binary operations was a complete
model of our systems and the embedding is a homomorphism, we obtain that the distributive epistemic
system $(M, Q, \{f_A\}_{A \in \mathcal{A}})$ inherits completeness. That is, we have the following for the Q-system
and a similar one for the M-system

$$\text{If } \Gamma_Q \nvdash_Q q \text{ then } e(\bigodot_Q \Gamma_Q) \not\subseteq_Q e(q).$$

To see this, note that from $\Gamma_Q \nvdash_Q q$ and completeness of the $Q_0$ system, it follows that $\bigodot_Q \Gamma_Q \not\le_{Q_0} q$.
Since the embedding is a homomorphism, we have that $e(\bigodot_Q \Gamma_Q) \subseteq_Q e(q)$ iff $\bigodot_Q \Gamma_Q \le_{Q_0} q$; from this we
get that $\bigodot_Q \Gamma_Q \not\le_{Q_0} q$ implies $e(\bigodot_Q \Gamma_Q) \not\subseteq_Q e(q)$. □



Example of derivation. Action-Knowledge Lemma and Prediction of Knowledge. The lemma is as
follows⁶:

$$\Box^M_A [f^Q_A(q)] m \vdash_M [q] \Box^M_A m.$$

It uses an agent's knowledge about the effect of his appearance of an action, that is $\Box^M_A [f^Q_A(q)] m$, to
derive his knowledge about the effect of the action itself, that is $[q] \Box^M_A m$. It can also be seen as a result
about permutation of epistemic $\Box_A$ and dynamic $[q]$ modalities up-to-appearance of actions $f^Q_A(q)$.
Proof. The proof tree is as follows



[Proof tree: layout lost in extraction. Its root is the sequent $\Box_A^M [f_A^Q(q)]m \vdash_M [q]\Box_A^M m$; the rule labels that survive are MCut and DyR.]



Example of an application. We present the proof tree of the property that we proved for the MITM
cryptographic attack in the algebra section. In order to encode the scenario in the sequent calculus,
we have to add axioms for our appearances, facts, and kernel assumptions. For the appearance of
propositions we have the following axiom schema for the M-systems (we refer to all these assumption
axioms as Ass.):

$m, A \vdash_M m'$ (Ass.)   iff   $f_A^M(m) = m'$

Similarly, the following is the axiom schema for the appearance of actions in the Q-system

$q, A \vdash_Q q'$ (Ass.)   iff   $f_A^Q(q) = q'$

For the kernel of actions, we have the following schema

$m, q \vdash_M \bot$ (Ass.)   iff   $m = Ker(q)$
6 It corresponds to a non-Boolean version of the so-called "Action-Knowledge Axiom" of BMS [6].




and finally we encode the entailment between propositions and facts $m \leq \varphi$ via the following schema

Ass.   iff   $m \leq \varphi$



We encode the cryptographic attack scenario by instantiating these axioms. The axioms for the facts
P, P and propositions s, t will be the following

$s \vdash_M P$ (Ass.)     $t \vdash_M P$ (Ass.)



We considered the kernel of four actions $\{\alpha, \alpha', \beta, \beta'\}$ encoded as follows

$P, \alpha \vdash_M \bot$ (Ass.)     $P, \alpha' \vdash_M \bot$ (Ass.)     $P, \beta \vdash_M \bot$ (Ass.)     $P, \beta' \vdash_M \bot$ (Ass.)



The encoding of the appearances of the propositions and actions to our three agents $\{A, B, C\}$ is
straightforward, for example the ones used in the proof are encoded as follows on the M-system

$s, A \vdash_M s$ (Ass.)     $s, B \vdash_M s \vee t$ (Ass.)

and as follows for the actions in the Q-system

$\alpha, A \vdash_Q \alpha'$ (Ass.)     $\alpha, B \vdash_Q \beta'$ (Ass.)     $\alpha', B \vdash_Q \alpha$ (Ass.)



We prove that in the real state s and after communicating the secret P or P via the action $\alpha \vee \beta$, agent
A knows that B knows that P holds, that is $s \cdot (\alpha \vee \beta) \vdash_M \Box_A^M \Box_B^M P$. One crucial part of the proof
is cut with an update formula and then the application of the left and right update rules to reduce the
update to the assumptions axioms. The trick is to cut a sequent that looks like $m, q, A \vdash_M m''$ with an
update formula $m' \cdot q'$ the proposition part of which is the appearance of the proposition on the left hand
side, that is $f_A^M(m) = m'$, and the action part of which is the appearance of the action on the left hand
side, that is $f_A^Q(q) = q'$. The other important part of the proof is cutting with $\bot$ and using the kernel
assumption axioms. The steps of the proof are more or less the same as in the algebra. The proof tree is
as follows (in order to fit it in the page we had to draw two of its sub-trees $\Pi_1$ and $\Pi_2$ separately)

[Proof tree: layout lost in extraction. Its root is the sequent $s \cdot (\alpha \vee \beta) \vdash_M \Box_A^M \Box_B^M P$; it uses the sub-trees $\Pi_1$ and $\Pi_2$, and the rule labels that survive are Ass., MCut, $\vee L$, $\bullet L$ and $\bullet R$.]

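The sub-proof trees $\Pi_1$ and $\Pi_2$ are below

$\Pi_1$: [Proof tree: layout lost in extraction. Its root is the sequent $s \vee t, \alpha' \vdash_M P$; the sequents that survive are $s \vdash_M P$, $t \vdash_M P$, $P, \alpha' \vdash_M \bot$, $t, \alpha' \vdash_M \bot$, $\bot \vdash_M P$, $t, \alpha' \vdash_M P$ and $s, \alpha' \vdash_M P$, and the rule labels that survive are Ass., fact, MCut and $\vee L$.]

$\Pi_2$: [Proof tree: layout lost in extraction. Its root is the sequent $s, \beta \vdash_M \Box_A^M \Box_B^M P$.]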



5 Conclusion and further elaborations 

We have developed an algebraic axiomatics in terms of a simple mathematical object: a sup-lattice 
M, which encodes epistemic propositions and facts; a quantale Q (acting on M) which encodes epis- 
temic actions (and the updates induced by them); and a family of (lax-)endomorphisms of the structure 
(M, Q, \f M , Vqj 1)> encoding the agents' information states. From this structure many useful other 
modalities arise, including dynamic modalities, epistemic modalities and residuals. This algebraic ax- 
iomatics is a dynamic epistemic logic and generalizes the BMS logic of |JSJ to non-Boolean settings, 
while capturing the same concepts, and enriches it with a logical account of dynamic and epistemic 
resources in terms of actions and agents. We have presented a sound and complete sequent calculus 
that enables us to deal with dynamic epistemic scenarios using semi-automatic proof techniques. As 
examples of application, we have encoded and analyzed a classic epistemic puzzle (Muddy Children) 
and some new variations of it with lying and cheating children, and proved the correctness of a
simple security protocol, both algebraically and by a proof in sequent calculus. Some possible further 
elaborations on this line of thought follow. 

• In this paper, following dynamic epistemic logic, we dealt with the same update schema for all 
agents. This is a postulate of "uniform rationality" and it means that the mechanism for infor- 
mation update is the same for all agents. It makes sense, if not being necessary, to consider 
personalized updates, where each agent updates his information in a different way than other 
agents do. We think that such personalized updates could be better dealt with by moving to a cat- 
egorical framework. More explicitly, we are working in an enriched categorical setting where a 
quantale Q is a one-object quantaloid, i.e. a one-object sup-enriched category, and agents'
personalized updates $\mathcal{M}_A$ are sup-enriched functors. Appearance maps arise as lax sup-enriched natural
transformations between the update functors. It would be interesting to compare our categorical 
approach with coalgebraic epistemic features which are currently studied e.g. 0. 

• The Kripke semantics of a dynamic epistemic logic has been used as an alternative to BAN 
logic [8] to reason about security protocols e.g. in [23]. As shown in [36] ch. 5, our
algebraic setting provides an elegant framework that facilitates these security applications. We would
like to extend the domain of such applications to be able to encode and prove the correctness of 
open security protocols, for example by adding more types to our setting through a quantaloid 
enrichment 071 . 

• Approximation and probability. We can conceive the modules in our setting as a more general type 
of partial orders than merely an algebraic logic. We can accommodate additional computational 
structure e.g. a domain structure [13], quantitative valuations of content [20, 29], or a combination
of these which enables accommodating probabilities e.g. the partial order on probability measures 
introduced in [9] is defined in terms of a Bayesian update operation. This development would 
also be of help in applications to security. 

• Part of the motivation of this work was a marriage of epistemics and resource-sensitivity [28].
Although we have introduced dynamic and epistemic resources in our setting, we would like to 






refine our logic and make it more resource-sensitive by relativizing our notion of "consequence" 
to "logical" actions available to agents. This will allow us to deal with classical resource sensitive 
problems such as the problem of logical omniscience. The two examples below might provide 
useful insights, fragments and tools. (i) In the money games of [25] the resource, i.e., money
x G M + , is encoded using the quantale structure of M + as a base for enrichment. The under- 
lying lattices are free lattices which adds linearity to the propositions. They moreover admit a 
game-theoretic interpretation [25]. (ii) The logic of bunched implications of [32] also provides
a model to handle resources which freely combines intuitionistic additive and multiplicative
linear structure via contexts. The semantics in terms of Grothendieck sheaves of the additives 
again indicates a monoid-enriched structure in the sense of [37].

• We would like to optimize our logic such that it has the cut-elimination property; this will
involve a change of rules and might need a change of system. For example, and as suggested by our
referee, an option would be to use the deep inference deductive system in the calculus of
structures [18]. We would also like to develop a boolean version of the sequent calculus presented
here for concrete epistemic systems and prove its completeness with regard to Kripke semantics. 
Such a development will lead to a more refined version of our Theorem 3.3 for a boolean dynamic
epistemic logic. 